A safety patch addressing a essential privilege escalation vulnerability that enables unauthorized customers to realize administrative entry to the information streaming platform.
The flaw, tracked as CVE-2025-47411 and rated essential, impacts Apache StreamPipes variations 0.69.0 by means of 0.97.0.
The vulnerability stems from a flawed consumer ID creation mechanism that allows legit non-administrator account holders to take advantage of JWT token manipulation.
By swapping their username for an current administrator account, attackers can escalate their privileges and achieve full administrative management of the appliance.
“A consumer with a legit non-administrator account can exploit a vulnerability within the consumer ID creation mechanism,” in line with the official advisory from Apache.
FieldValueCVE IDCVE-2025-47411Affected VersionsApache StreamPipes 0.69.0 – 0.97.0Vulnerability TypePrivilege Escalation by way of Consumer ID ManipulationAttack VectorJWT Token Manipulation
This vulnerability permits unauthorized customers to bypass entry controls and achieve unrestricted system privileges, creating vital safety dangers for organizations deploying StreamPipes.
As soon as attackers achieve administrative management, they will carry out numerous malicious actions, together with unauthorized knowledge entry and tampering with essential knowledge.
Modifying system configurations and doubtlessly compromising your entire knowledge streaming infrastructure.
The assault requires no superior technical abilities or exterior instruments, making it notably harmful for enterprises managing delicate knowledge pipelines.
StreamPipes, used for constructing and executing knowledge processing pipelines, typically handles delicate enterprise knowledge.
Compromised situations might expose proprietary info, operational knowledge, and buyer data to unauthorized events.
The vulnerability additionally presents provide chain dangers if StreamPipes situations are utilized in enterprise environments or built-in with essential enterprise programs.
Apache has launched model 0.98.0, which addresses this vulnerability.
The safety crew strongly recommends that every one customers working affected variations instantly improve to model 0.98.0 to get rid of the danger.
In keeping with the seclists.org advisory, organizations ought to prioritize making use of the patch as a result of vulnerability’s ease of exploitation and the extreme danger of administrative account compromise.
The vulnerability was found by Darren Xuan from Mantel Group, who acquired credit score for the accountable disclosure.
Safety directors ought to confirm their StreamPipes deployment variations instantly and schedule pressing patching actions to guard their knowledge streaming infrastructure from potential compromise.
Comply with us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to function your tales.
